// DjangoCsvWriterInjection flags user input written through the built-in csv
// module. An attacker-controlled cell can carry a spreadsheet formula that is
// evaluated when the file is opened; the rule recommends defusedcsv as a
// drop-in replacement.
var DjangoCsvWriterInjection = &analysis.Analyzer{
	Name:        "django-csv-writer-injection",
	Language:    analysis.LangPy,
	Description: "Using the built-in csv module with user input can allow attackers to inject malicious formulas into CSV files. When opened in a spreadsheet, these formulas may execute scripts that steal data or install malware. To mitigate this risk, use defusedcsv, a drop-in replacement that helps prevent formula injection.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoCsvWriterInjection,
}
// DjangoInsecurePickleDeserialize flags deserialization of untrusted data with
// pickle, _pickle, cpickle, dill, shelve, or yaml. These loaders can execute
// arbitrary code while reading the payload, so the finding is a remote code
// execution risk rather than a data-integrity one.
var DjangoInsecurePickleDeserialize = &analysis.Analyzer{
	Name:        "django-insecure-pickle-deserialize",
	Language:    analysis.LangPy,
	Description: "Insecure deserialization with pickle, _pickle, cpickle, dill, shelve, or yaml can lead to remote code execution. These libraries execute arbitrary code when loading untrusted data",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoInsecurePickleDeserialize,
}
// DjangoMissingThrottleConfig flags a Django REST framework configuration
// that lacks DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES, leaving
// endpoints without rate limits and open to resource exhaustion.
var DjangoMissingThrottleConfig = &analysis.Analyzer{
	Name:        "django-missing-throttle-config",
	Language:    analysis.LangPy,
	Description: "Django REST framework is missing rate-limiting configurations, which could lead to resource starvation or DoS attacks. Add 'DEFAULT_THROTTLE_CLASSES' and 'DEFAULT_THROTTLE_RATES' to enforce rate limits.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoMissingThrottleConfig,
}
// DjangoNanInjection flags user input passed straight to bool(), float(), or
// complex(). float("nan") and complex("nan") produce NaN, which compares
// unequal to every value including itself and so can bypass range and
// equality checks.
//
// NOTE(review): bool() cannot yield NaN (bool("nan") is True); confirm whether
// the check is meant to report bool() casts as well, as the Description says.
var DjangoNanInjection = &analysis.Analyzer{
	Name:        "django-nan-injection",
	Language:    analysis.LangPy,
	Description: "User input is directly cast to `bool()`, `float()`, or `complex()`, allowing an attacker to inject Python's `NaN`. This can lead to undefined behavior, especially in comparisons. To mitigate this, either use a different type for casting or explicitly check for all capitalizations of 'nan' before conversion.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoNanInjection,
}
// DjangoPasswordEmptyString flags set_password("") on a Django user. An empty
// string is still a hashed, usable password; to disable password login the
// rule points to set_password(None) or set_unusable_password() instead.
var DjangoPasswordEmptyString = &analysis.Analyzer{
	Name:        "django-password-empty-string",
	Language:    analysis.LangPy,
	Description: "Using empty string as password in `set_password()` may cause unintended behavior. To set an unusable password please set the password to None or call `set_unusable_password()`",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoPasswordEmptyString,
}
// DjangoRequestDataWrite flags request data written directly to a file.
// Unvalidated content can corrupt or forge file contents, force log rotation,
// or fill the disk; the rule asks for sanitization or escaping before the
// write.
var DjangoRequestDataWrite = &analysis.Analyzer{
	Name:        "django-request-data-write",
	Language:    analysis.LangPy,
	Description: "User-controlled request data is directly written to a file, which can lead to security risks such as unauthorized file modification, forced log rotation, or denial-of-service by exhausting disk space. Ensure proper input sanitization or escaping to mitigate these threats.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoRequestDataWrite,
}
// DjangoRequestHttpResponse flags user-controlled data placed into an
// HttpResponse body. Unescaped input here is a reflected XSS sink; the rule
// recommends escaping, the template engine, or built-in encoding.
var DjangoRequestHttpResponse = &analysis.Analyzer{
	Name:        "django-request-httpresponse",
	Language:    analysis.LangPy,
	Description: "User-controlled data in `HttpResponse` may enable XSS, allowing attackers to steal cookies or sensitive data. Escape or sanitize input to prevent script injection. Use secure templating or built-in encoding to mitigate risks.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoRequestHttpResponse,
}
// DjangoSQLInjection flags request-derived data interpolated into a raw
// database query. The rule's mitigation is the ORM's QuerySets with
// parameterized queries so that user input never becomes SQL syntax.
var DjangoSQLInjection = &analysis.Analyzer{
	Name:        "django-sql-injection",
	Language:    analysis.LangPy,
	Description: "User-controlled data from a Python request is used in a raw database query, potentially leading to SQL injection and unauthorized data access. Use Django's QuerySets with parameterized queries to prevent injection risks.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoSQLInjection,
}
// DjangoSSRFInjection flags user-supplied data used to build a server-side
// request. The rule's mitigations are an allowlist of schemes and hosts, not
// forwarding the upstream response verbatim, and authenticated, TLS-protected
// proxied requests.
var DjangoSSRFInjection = &analysis.Analyzer{
	Name:        "django-ssrf-injection",
	Language:    analysis.LangPy,
	Description: "User-supplied data is used in a server-side request, potentially leading to SSRF. Mitigate by validating schemes and hosts against an allowlist, avoiding direct response forwarding, and enforcing authentication and transport-layer security in the proxied request.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityWarning,
	Run:         checkDjangoSSRFInjection,
}
// InsecureUrllibFtp flags urllib use of an ftp:// URL. Plain FTP carries
// credentials and file contents unencrypted, so this rule is reported at
// SeverityError; urllib has no SFTP support, so the fix is a different
// transfer library rather than a scheme change.
var InsecureUrllibFtp = &analysis.Analyzer{
	Name:        "insecure-urllib-ftp",
	Language:    analysis.LangPy,
	Description: "An unsecured FTP connection was detected where `ftp://` is being used. Data transmitted over this channel is unencrypted, posing a security risk. It is recommended to use `SFTP` instead. Since `urllib` does not support `SFTP`, consider using a library that provides secure file transfer capabilities.",
	Category:    analysis.CategorySecurity,
	Severity:    analysis.SeverityError,
	Run:         checkInsecureUrllibFtp,
}
